WASHINGTON (Reuters) - U.S. Senator Elizabeth Warren said on Friday she has begun an investigation into Equifax’s massive data breach and, along with 11 other Democratic senators, introduced a bill to allow consumers to freeze their credit for free.

Equifax came under increased pressure from lawmakers and U.S. states on Friday, while Canada said that it, too, was opening an investigation into a data breach that exposed sensitive information of some 143 million people.

Warren, who has built a reputation as a fierce consumer champion, also signaled in a letter to the Consumer Financial Protection Bureau, the agency she helped create in the wake of the 2007-2009 financial crisis, that it may require extra powers to ensure closer federal oversight of credit reporting agencies.

Warren also wrote letters to Equifax and rival credit monitoring agencies TransUnion and Experian, federal regulators and the Government Accountability Office to see if new federal legislation was needed to protect consumers.

Warren said the proposed bill would stop companies like Equifax from charging consumers to freeze their credit files. A credit freeze restricts access to an individual’s credit report, which prevents thieves from applying for credit using another person’s information.

Connecticut Attorney General George Jepsen and more than 30 others in a state group investigating the breach said that while Equifax has agreed to give free credit monitoring to hack victims, they asked Equifax to stop collecting any money to monitor or freeze credit.

“Selling a fee-based product that competes with Equifax’s own free offer of credit monitoring services to victims of Equifax’s own data breach is unfair,” Jepsen said.

Also on Friday, the chairman and ranking member of the Senate subcommittee on Social Security urged the Social Security Administration to consider nullifying its contract with Equifax and making the company ineligible for future government contracts.

The two senators, Republican Bill Cassidy and Democrat Sherrod Brown, said they were concerned that personal information maintained by the Social Security Administration may also be at risk because the agency worked with Equifax to build its E-Authentication security platform.

Equifax has reported that for 2016, state and federal governments accounted for 5 percent of its total revenue of $3.1 billion.

Equifax, which creates individual credit reports used by lenders to assess a consumer’s creditworthiness, has come under intense criticism for what has been described as a slow, inadequate and confusing response to the hack.

The company has hired public relations companies DJE Holdings and McGinn and Company to manage its response to the hack, PR Week reported. Equifax and the two PR firms declined to comment on the report.

400,000 BRITONS AFFECTED

Investors have dumped Equifax’s stock, with share prices down more than a third since the company disclosed the hack on Sept. 7. Shares shed another 3.8 percent on Friday to close at $92.98.

Equifax, which disclosed the breach more than a month after it learned of it on July 29, said at the time that thieves may have stolen the personal information of 143 million Americans in one of the largest hacks ever.

The problem is not restricted to the United States.

Equifax said on Friday that data on up to 400,000 Britons was stolen in the hack because it was stored in the United States. The data included names, email addresses and telephone numbers but not street addresses or financial data, Equifax said.

Canada’s privacy commissioner said on Friday that it has launched an investigation into the data breach. Equifax is still working to determine the number of Canadians affected, the Office of the Privacy Commissioner of Canada said in a statement.

In her letters to the regulators, Warren questioned the overall regulatory framework for credit reporting agencies, which are not subject to the same scrutiny as mortgage lenders or credit card providers.

The CFPB supervises credit reporting firms’ compliance with consumer protection laws but does not directly license or intensively monitor the companies.